How to use CRL by PEAP authentication

wbh wbhoer at gmail.com
Fri Dec 16 12:39:42 CET 2005


On 12/16/05, Kouji Amemiya <amemiya at allied-telesis.co.jp> wrote:
> I was using the certificate published by OpenSSL, I revoked this certificate.
> (Herewith, this certificate's information was written on CRL.)
>
> And I attempted PEAP authentication by this revoked certificate,
> but authentication result was "Access-Accept".

For PEAP you don't use a certificate on the client (better:
supplicant) side, so it is not checked. What you seem to have revoked
is the certificate the server presents to the supplicant, which has no
part in deciding to authorize/authenticate the user.

Why the supplicant doesn't refuse the supposedly revoked server
certificate would be interesting (you could look into your setup, if
the supplicant did check for the latest CRL of the certificate's
issuer), but is unresponsive to your original question.

Regards,
Klaus Hörcher
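
The reply's point that a revoked server certificate is only refused when the verifying side actually loads the issuer's CRL can be reproduced with the OpenSSL command line. This is an added example, not part of the original message; the CA, the host name radius.example.test and all file names are constructed for the demo.

```shell
# Constructed demo PKI: throwaway CA, server certificate and CRL (all names made up).
build_demo_pki() (
  cd "$1" && mkdir newcerts && : > index.txt && echo 01 > serial &&
  cat > ca.cnf <<'EOF' &&
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
    -subj "/CN=Demo CA" -days 30 -keyout ca.key -out ca.pem 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=radius.example.test" -keyout srv.key -out srv.csr 2>/dev/null &&
  openssl ca -batch -config ca.cnf -in srv.csr -out srv.pem 2>/dev/null &&
  openssl ca -config ca.cnf -revoke srv.pem 2>/dev/null &&   # revoke the server cert
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null # publish it in a CRL
)

# Prints accepted, revoked or failed for srv.pem. Passing "crl" as $2 makes the
# verifier load crl.pem, which is the step a supplicant must be set up to perform.
server_cert_status() (
  cd "$1" || exit 1
  if [ "$2" = crl ]; then set -- -crl_check -CRLfile crl.pem; else set --; fi
  out=$(openssl verify "$@" -CAfile ca.pem srv.pem 2>&1) || true
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*) echo accepted ;;
    *) echo failed ;;
  esac
)

demo=$(mktemp -d) && build_demo_pki "$demo" &&
echo "CRL not consulted: $(server_cert_status "$demo")" &&
echo "CRL consulted:     $(server_cert_status "$demo" crl)"
```

The same revoked certificate passes chain validation when no CRL is supplied and is rejected once the issuer's CRL is loaded and checking is enabled.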



